Thursday, 1 April 2010

We didn't exactly need any more proof that Ecatel (AS29073) were crimeware-friendly, but I came across ryan1918.com (again) earlier, and the following just kinda jumped out at me - thanks for providing the final nail in Ecatel's coffin!

I've already had Ecatel's ranges blocked for some time now, and I believe this should now convince everyone else to do the same. To save you some time, these are all to be blackholed;

In case you're wondering, ryan1918.com is a site that's controlled by a criminal, and not surprisingly, is involved in everything from hacking to fraud to exploits to - well, pretty much everything blackhat/criminal that you care to think of. The domain's WhoIs is (again not surprisingly) hidden, courtesy of "MONIKER" (moniker.com), one of many registrars that, in my opinion, should be shut down.

It would seem, chaps and chapesses, that Ecatel were none too pleased about Ryan's post, and have since booted his site (contrary to his "hard drive failure" message, currently present on his site's homepage). His site's new IP is 174.132.192.92 (5c.c0.84ae.static.theplanet.com, AS21844 174.132.0.0/15 THEPLANET-AS - ThePlanet.com Internet Services, Inc.).

There are quite a few suspicious domains also residing here, which I'll be taking a look at in due course.

New IP = 89.248.168.47 = Ecatel.

/update 13-04-2010 12:48

This one has jumped to varying ISPs since the original article was published, including a UK-based ISP (UKNOC, uknoc.co.uk) at 85.92.87.193, and has now jumped back to Ecatel (same IP as before), presumably before he finds another ISP. LE are involved with this one now, however, so I'll not be following this one anymore, got to leave it to them.